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DETAILED ACTION 

Continued Examination Under 37 CFR 1.114 

1 . A request for continued examination under 37 CFR 1.114, including the fee set 
forth in 37 CFR 1 .17(e), was filed in this application after final rejection. Since this 
application is eligible for continued examination under 37 CFR 1.114, and the fee set 
forth in 37 CFR 1 .17(e) has been timely paid, the finality of the previous Office action 
has been withdrawn pursuant to 37 CFR 1.114. 

Applicant's submission filed on 6-10-2009 has been entered. 

2. Claims 1 - 4, 6 - 16, 18 - 26, 28 - 34 are pending. Claims 5, 17, 27 have been 
cancelled. Claims 1, 13, 23 are independent. This application was filed 12-23-2003. 

Response to Arguments 

3. Applicant's arguments have been fully considered but are moot based on new 
grounds of rejection. 

3.1 Applicant argues that the referenced prior art does not disclose, the transfer of 
both a session ID and a timestarnp between systems, (see Remarks Pages 2-11) 

Williams prior art discloses the transfer of a timestarnp parameter (within the token 
data structure) between two network-connected systems, (see Williams paragraph 
[0050], lines 1-5: token may include an optional timestarnp) 

And, the Woods prior art discloses the direct transfer of session state parameters 



Application/Control Number: 10/733,326 Page 3 

Art Unit: 2436 

such as a session ID parameter and a time/date parameter between network-connected 
entities, (see Wood paragraph [0050], Sines 15-17: some parameters can be passed 
directly between systems) The Williams and Woods combination discloses the 
transfer of a session ID and a timestamp parameter. - 

The LEVY prior art discloses the transfer of both a session ID parameter and a 
time and date or timestamp parameter between network-connected systems. (LEVY 
paragraph [0070], lines 3-9: record is created; record consists of sessionjd, date and 
time (timestamp)) 

Bachman prior art is not used to disclose the transfer of a session ID and a 
timestamp between network-connected systems, (see Remarks Page 11) 

Ail references (Williams, Wood, and LEVY) disclose the transfer of session 
information such as identifiers, time/date information such as timestamps, and session 
state information between network-connected systems (servers, clients). Clearly, a 
timestamp is a parameter available for transfer between systems in the management of 
session information. 

Williams prior art discloses a system for secure session management within a 
collection of web server systems (web farm) using a session token. The claim 
limitations disclose that the token is renewed after each use. (see Specification Page 2, 
Paragraph [0006], lines 7-9) In the Williams prior art a session management web 
service updates the session token with each received request, (see Williams 
paragraph [0016], lines 7-13; paragraph [0016], lines 4-7: generate new encrypted 
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session token and transfer) In addition, the Wiliiams prior art discloses the capability to 
encrypt and decrypt the designated session token. 

Williams prior art discloses that the server is utilized for authentication and session 
token(s) generation. Also, the Williams prior art discloses the capability for session 
tokens to be encrypted and decrypted during session token processing, (see Williams 
paragraph [0051], lines 14-16: encryption/decryption utilized for security) Once client 
access procedures are completed, the Williams prior art processes service requests to 
access a required resource. 

Wiliiams and Woods prior art combination discloses that if the request must be 
redirected to a different server where the requested resource is located (see Williams 
paragraph [0067], lines 12-18: redirection of session token and session information, 
redirection request for resources) then the decrypted session token is transmitted to the 
new server (see Wood paragraph [0044], lines 8-14; paragraph [0051], lines 1-3: 
session token with redirection request) and the session management web service 
generates a new session token to be used in place of the previous session token. The 
new session token is transmitted with the requested web resource. 

Claim Rejections - 35 USC § 103 

4. The following is a quotation of 35 U.S.C. 1 03(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art 
are such that the subject matter as a whole would have been obvious at the time the invention was made 
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to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be 
negatived by the manner in which the invention was made. 

5. Claims 1 - 4, 6, 9 - 16, 18, 21 - 26, 28, 31 - 34 are rejected under 35 U.S.C. 
103(a) as being unpatentable over Williams et al. (US PGPUB No. 20030005118) in 
view of Wood et al. (US PGPUB No. 20040210771) and further in view of LEVY et al. 
(US PGPUB No. 20020124074). 

With Regards to Claims 1, 23, Williams discloses a method, computer program 
product of secure session management for a web farm, the web farm including a first 
server and a second server, the second server having a requested web page, the 
method comprising: 

a) receiving, at the first server, a request for the requested web page from a 
browser, said request including an encrypted session token associated with a 
session; (see Williams paragraph [0016], lines 1-4: session management; 
paragraph [0019], lines 1-5: request processing; paragraph [0016], lines 1-4: 
session token; paragraph [0050], lines 10-16; paragraph [0051], lines 14-16: 
encryption utilized for security; paragraph [0016], lines 1-4: program product) 

Furthermore, Williams discloses the following: 

b) decrypting said encrypted session token at the first server to obtain a session 
information; (see Williams paragraph [0020], lines 8-1 1 : validate (must decryption 
required to process encrypted information) session information, process 
encrypted session information; paragraph [0016], lines 1-4: program product) 

d) verifying said session, (see Williams paragraph [0020], lines 8-11; paragraph 
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[0074], lines 7-1 1 : validate session token information, client and session 
identification information; paragraph [0016], lines 1-4: program product) 

Furthermore, Williams discloses redirecting said request to the second server, (see 
Williams paragraph [0067], lines 12-18: redirection of session information) 

Williams does not specifically disclose including the transmission of said session 
token to the second server in a redirect request. 
However, Wood discloses: 

c) including transmitting said session token to the second server; (see Wood 
paragraph [0044], lines 8-14; paragraph [0051], lines 1-3: session token with 
redirection request) 

It would have been obvious to one of ordinary skill in the art to modify Williams 
for transmitting a session token and session state information to a second server as 
taught by Wood. One of ordinary skill in the art would have been motivated to 
employ the teachings of Wood to upgrade session credentials and maintain session 
continuity, (see Wood paragraph [0016], lines 11-16) 

Williams-Wood does not specifically disclose the transfer of a session ID parameter 
and a time and date (timestamp) parameter between two network connected 
systems (servers). 

However, LEVY discloses: for a); b): wherein including transmitting said session ID 
and timestamp directly to the second server. (LEVY paragraph [0070], lines 3-9: 
record is created; record consists of session id, date and time (timestamp)) 
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The explicit transfer of a session !D and a timestamp (both parameters) between 
network-connected systems is disclosed. 

It would have been obvious to one of ordinary skill in the art to modify Williams- 
Wood for the transfer of a session ID parameter and time and date (timestamp) 
parameter as taught by LEVY. One of ordinary skill in the art would have been 
motivated to employ the teachings of LEVY to enable real-time monitoring of 
systems to greatly assist in the management of sessions between network- 
connected systems, (see LEVY paragraph [0027], lines 1-5) 

With Regards to Claims 2, 24, Williams discloses the method, computer program 
product claimed in claims 1, 23, further including creating a new session token, 
encrypting said new session token at the second server to produce a new encrypted 
session token, and transmitting a response to said browser from the second server, 
wherein said response includes said new encrypted session token, (see Williams 
paragraph [0016], lines 7-13; paragraph [0016], lines 4-7: generate new encrypted 
session token and transfer; paragraph [0016], lines 1-4: software implementation, 
program product) 

With Regards to Claims 3, 5, 15, 25, Williams discloses the method, system, computer 
program product claimed in claims 2, 13, 14, 23, 24, wherein said creating a new 
session token includes generating a new session ID and updating said timestamp. (see 
Williams paragraph [0062], lines 9-16; paragraph [0050], lines 1-5: session token, 
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session ID and timestamp; paragraph [0016], lines 1-4: software implementation, 
program product) 

With Regards to Claims 4, 16, 26, Williams discloses the method, system, computer 
program product claimed in claims 2, 14, 24, further including a step of updating a 
common session database by replacing said session information with said new session 
token in said common session database, (see Williams paragraph [0069], lines 9-15: 
database for session token information storage paragraph [0016], lines 1-4: software 
implementation, program product) 

Williams does not disclose the transfer of a session ID parameter and a time and date 
(timestamp) parameter between two network connected systems. 
However, LEVY discloses transmitting said session ID and timestamp directly to the 
second server. (LEVY paragraph [0070], lines 3-9: record is created; record consists of 
sessionjd, date and time (timestamp)) 

The explicit transfer of a session ID and a timestamp (both parameters) between 
network-connected systems is disclosed. 

It would have been obvious to one of ordinary skill in the art to modify Williams for 
the transfer of a session ID parameter and time and date (timestamp) parameter as 
taught by LEVY. One of ordinary skill in the art would have been motivated to employ 
the teachings of LEVY to enable real-time monitoring of systems to greatly assist in the 
management of sessions between network-connected systems, (see LEVY paragraph 
[0027], lines 1-5) 
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With Regards to Claims 6, 18, 28, Williams discloses the method, system, computer 
program product claimed in claims 1,17, 23, wherein a common session database 
contains a stored session ID and a stored timestamp, and wherein said verifying 
includes comparing said session ID and said timestamp with said stored session ID and 
said stored timestamp. (see Williams paragraph [0069], lines 9-15: database for session 
token information storage; paragraph [0062], lines 9-16; paragraph [0050], lines 1-5: 
session token, session ID and timestamp; paragraph [0020], lines 8-1 1 : verification 
session information paragraph [0016], lines 1-4: software implementation, program 
product) 

With Regards to Claims 9, 21, 31, Williams discloses the method, system, computer 
program product claimed in claims 1,13, 23, wherein said step of transmitting includes 
incorporating said session information into a URL. (see Williams paragraph [0044], lines 
8-12: URL processing techniques utilized paragraph [0016], lines 1-4: software 
implementation, program product) 

Williams-Wood does not specifically disclose incorporating a session !D parameter and 
a time and data (timestamp) parameter into a record. 

However, LEVY discloses incorporating said session SD and timestamp into a record. 
(LEVY paragraph [0070], lines 3-9: record is created; re cord consists of sessionjd, 
date and time (timestamp)) 

The explicit transfer of a session ID and a timestamp (both parameters) between 
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network-connected systems is disclosed. 

It would have been obvious to one of ordinary skill in the art to modify Williams for 
incorporating said a session ID parameter and a time and date (timestamp) parameter 
into a record as taught by LEVY. One of ordinary skill in the art would have been 
motivated to employ the teachings of LEVY to enable real-time monitoring of systems to 
greatly assist in the management of sessions between network-connected systems, 
(see LEVY paragraph [0027], lines 1-5) 

With Regards to Claims 10, 32, Williams discloses the method, computer program 
product claimed in claims 1 , 23, wherein a session management web service performs 
said step of verifying, said session management web service being accessible to said 
first server and said second server, and wherein said verifying includes comparing said 
session information with stored session data, (see Williams paragraph [0020], lines 8- 
11: session information verification paragraph [0016], lines 1-4: software 
implementation, program product) 

Williams does not specifically disclose transferring said session ID and time and date 
(timestamp) between systems. 

However, LEVY discloses transferring said session SD and timestamp between systems. 
(LEVY paragraph [0070], lines 3-9: record is created; record consists of session., id, 
date and time (timestamp)) 

The explicit transfer of a session ID and a timestamp (both parameters) between 
network-connected systems is disclosed. 
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It would have been obvious to one of ordinary skill in the art to modify Williams for 
the transfer of session ID and time and date (timestamp) between systems as taught by 
LEVY, One of ordinary skill in the art would have been motivated to employ the 
teachings of LEVY to enable real-time monitoring of systems to greatly assist in the 
management of sessions between network-connected systems, (see LEVY paragraph 
[0027], lines 1-5) 

With Regards to Claims 11, 33, Williams discloses the method, computer program 
product claimed in claims 10, 32, wherein the web farm further includes a common 
session database containing said stored session data, (see Williams paragraph [0013], 
lines 5-9; paragraph [0036], lines 3-4: web farms, set of interconnected web servers 
paragraph [0016], lines 1-4: software implementation, program product) 

With Regards to Claims 12, 22, 34, Williams discloses the method, system, computer 
program product claimed in claims 1,13, 23, wherein said requested web page includes 
a web resource selected from the group including an applet, an HTML page, a Java 
server page, and an Active server page, (see Williams paragraph [0044], lines 3-8; 
paragraph [0042], lines 8-15: protected resource, a HTML web page paragraph [0016], 
lines 1-4: software implementation, program product) 

With Regards to Claim 13, Williams discloses a system for secure session 
management, the system being coupled to a network and receiving a request for a 
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requested web page from a browser via the network, the request including an encrypted 
session token, the system comprising: 

b) a second server including the requested web page; (see Williams paragraph 
[0013], lines 5-9: multiple servers; paragraph [0044], lines 3-8; paragraph [0042], 
lines 8-15: resource requested, a HTML web page) 

Furthermore, Williams discloses: 

c) a common session database including stored session data; (see Williams 
paragraph [0069], lines 9-15: database for session token information storage) 

Furthermore, Williams discloses the foiiowing: 

a) a first server including a first request handler for receiving the request and 
decrypting the encrypted session token to produce a session information, (see 
Williams paragraph [0013], lines 5-9; paragraph [0050], lines 10-16: multiple 
servers, encrypted; paragraph [0020], lines 8-1 1 : validate (i.e. must decrypt in 
order to process) session information) 

d) a session management web service, accessible to said first server and said 
second server and including a validation component for comparing said session 
token with said stored session data; (see Williams paragraph [0020], lines 8-1 1 : 
session verification information) 

Furthermore, Williams discloses wherein said first request handler adapted to 
redirect the request to said second server, (see Williams paragraph [0067], lines 12- 
18: redirection capabilities) 
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Williams does not specifically disclose the transfer of session state information 
between two servers. 
However, Wood discloses: 

e) transmit the session information to said second server, (see Wood paragraph 
[0044], lines 8-14; paragraph [0051], lines 1-3: session token with redirection 
request; paragraph [0050], lines 15-17: direct transfer of parameters between two 
systems) 

It would have been obvious to one of ordinary skill in the art to modify Williams 
to enable including transmitting said session token to the second server as taught by 
Wood. One of ordinary skill in the art would have been motivated to employ the 
teachings of Wood in order to enable the capability to upgrade session credentials 
and maintain session continuity, (see Wood paragraph [0016], lines 11-16) 

Williams does not specifically disclose transmitting said session ID and timestamp 
between systems. 

However, LEVY discloses transmitting said session !D and timestamp between 
systems. (LEVY paragraph [0070], lines 3-9: record is created; re cord consists of 
session Jd, date and time (timestamp)) 

The explicit transfer of a session \D and a timestamp (both parameters) between 
network-connected systems is disclosed. 

It would have been obvious to one of ordinary skill in the art to modify Williams 
for transmitting said session !D and timestamp between systems as taught by LEVY. 
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One of ordinary skill in the art would have been motivated to employ the teachings of 
LEVY to enable real-time monitoring of systems to greatly assist in the management 
of sessions between network-connected systems, (see LEVY paragraph [0027], 
lines 1-5) 



With Regards to Claim 14, Williams discloses the system claimed in claim 13, wherein 
said session management web service includes a token generator for creating a new 
session token for said second server, and wherein said second server includes a 
second request handler, said second request handler encrypting said new session 
token to produce a new encrypted session token and transmitting a response to said 
browser, wherein said response includes said new encrypted session token, (see 
Williams paragraph [0016], lines 7-10; paragraph [0016], lines 4-7: new session token 
generated and transferred; paragraph [0050], lines 10-16; paragraph [0051], lines 14- 
16: encrypted session token information) 



6. Claims 7, 8, 19, 20, 29, 30 are rejected under 35 U.S.C. 1 03(a) as being 
unpatentable over Williams-Wood-LEVY and further in view of Bachman et al. (US 
Patent No. 5,907,621). 



With Regards to Claims 7, 19, 29, Williams discloses the method, system, computer 
program product claimed in claims 1,14, 23. (see Williams paragraph [0050], lines 1-5 
time parameter usage and processing; paragraph [0016], lines 1-4: software 
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implementation, program product) 

Williams does not specifically disclose a time out processing capability. 
However, Bachman discloses wherein including determining whether a session has 
timed out, said step of determining including determining an elapsed time between said 
timestamp and a current server time, and comparing said elapsed time with a 
predetermined maximum time to determine whether said session has timed out. (see 
Bachman col. 1, lines 65-67: session management; col. 4, lines 11-17; col. 6, lines 10- 
19: process time out condition) 

It would have been obvious to one of ordinary skill in the art to modify Williams to 
process a time out condition as taught by Bachman. One of ordinary skill in the art 
would have been motivated to employ the teachings of Bachman to create a secure 
communications session between server and client systems and avoid distracting the 
client with the placement of token information within the page, (see Bachman col. 1 , 
lines 65-67; col. 2, lines 15-17) 

With Regards to Claims 8, 20, 30, Williams discloses the method, system, computer 
program product claimed in claims 7, 19, 29. (see Williams paragraph [0050], lines 1-5: 
time parameter usage and processing; paragraph [0016], lines 1-4: software 
implementation, program product) 

Williams does not specifically disclose a time out processing capability. 

However Bachman discloses wherein includes closing said session if said session has 

timed out. (see Bachman col. 1, lines 65-67: session management; col. 4, lines 11-17; 
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col. 6, lines 10-19: process time out condition, session erased, closed) 

It would have been obvious to one of ordinary skill in the art to modify Williams to 
process a time out condition as taught by Bachman. One of ordinary skill in the art 
would have been motivated to employ the teachings of Bachman to create a secure 
communications session between server and client systems and avoid distracting the 
client with the placement of token information within the page, (see Bachman col. 1 , 
lines 65-67; col. 2, lines 15-17) 



Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Carlton V. Johnson whose telephone number is 571- 
270-1032. The examiner can normally be reached on Monday thru Friday , 8:00 - 
5:00PM EST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser Moazzami can be reached on 571-272-4195. The fax phone 
number for the organization where this application or proceeding is assigned is 571- 
273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
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you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



/Nasser G Moazzami/ Carlton V. Johnson 

Supervisory Patent Examiner, Art Unit 2436 Examiner 

Art Unit 2436 



CVJ 

August 3, 2009 



